Tuesday, July 31, 2007
"Our analysis shows how ISPs in some countries are relatively slower than others to shut down attacks. For example, Taiwan’s average shutdown time has been only 19 hours on 92 attacks, while in Australia the average for 98 attacks has been almost one week for a single shutdown. Other countries slow to respond include the USA and India. Countries identified as responding quickly include Germany, Netherlands, Japan, Estonia, Poland and Russia."
Moreover, May's report from the Anti-Phishing Working Group has an ever better sample consisting of 37438 unique phishing sites, where the average time online for a phishing site was 3.8 days, and the longest time online was 30 days. Why are certain ISPs slower in shutting down phishing sites compared to the others? What motivates the best performing ones to react immediately? It's all a matter of perspective. Let's consider the facts :
- DIY phishing kits such as Rock Phish significantly increased the number of phishing sites, but sacrificed efficiency for quality. Rock Phish's major strength is Rock Phish's major weakness, namely that of centralization, so the phisher ends up with a single IP hosting phishing sites for numerous banks. In fact, according to IBM's X-Force, single domains were carrying an average of 1000 phishing sites
- Phishing sites hosted at home users PCs are harder to shut down compared to those hosted on a web server
- Russia is responding faster than the U.S because according to the APWG's Countries hosting phishing sites stats, Russia's percentage is 7.41% compared to the U.S 32.41%. We have the same situation with countries hosting trojans and downloaders where Russia accounts for 6% compared to China with 22%. It does not mean Russia is out of the game, not at all, but the way you may have a Russian phishing/malware campaign hosted in the U.S, you may also have a U.S phishing/malware campaign hosted in Russia
- The lack of incentives for ISPs to be in a hurry and the lack of accountability for them if they are not in a hurry. Perhaps if the vendors developing the market segment for shutting down phishing sites start sharing revenues in a win-win-win fashion, it would make a difference if no legislations are in place
- XSS vulnerabilities within E-banking sites often act as redirectors, so while you're shutting down the yet another .info domain, the XSS is still there waiting to get abused
- In a fast-flux empowered malicious economies of scale attacks, any stats should be considered at least partly "scratching the surface" only due to the fact that, while the redirector may be in the U.S, the second one with the phishing site may be in Russia, and the third one hosting the malware in Taiwan. And so, while you've shut down the most obvious nodes, the campaign remains in tact, and gets automatically re-mixed to achieve malicious diversity using the same domain names, but under different and dynamic IPs next time
What would be the most effective approach for the most targeted financial services to protect their customers from phishing attacks? Hire brandjacking monitoring services to shut down efficiently and persistently, the generated phishing sites with DIY phishing kits, educate E-banking customers, or do both? Assess their unique situation and balance while considerating that some folks still don't know what phishing really is. Now, try explaining to them what form input grabbing malware tools such as the Nuclear Grabber are.
A Client Application for Secure E-banking?
The Rock Phish Kit in action
The Brandjacking Index
Security threats to consider when doing E-banking
Banking Trojan Defeating Virtual Keyboards
Defeating Virtual Keyboards
Packed binary obtained two weeks ago :
File size: 205917 bytes
packers: PECompact, NsPack
packers: PECOMPACT, BINARYRES, NSPACK
packers: ZIP, PecBundle, PECompact
Packed binary as of today :
File size: 76800 bytes
packers: PECOMPACT, BINARYRES
packers: PecBundle, PECompact
Both binaries have a relatively high detection rate, but that's not the point. The point is the ongoing trend of malware embedded web sites, which in combination with a fast-flux network prompts the need for re-evaluating your security policies and preemptive security strategy.
Fast-flux networks graph courtesy of the Honeynet Project & Research Alliance.
Monday, July 30, 2007
Creation Date........ 2007-07-25
Expiry Date.......... 2008-07-25
Some developments on the cybersquatting front :
"The Coalition Against Domain Name Abuse (CADNA) is announcing the launch of its national campaign against Internet fraud. A non-profit organization based in Washington D.C., CADNA is leading the way in confronting cybersquatting – the fraudulent abuse of domain name registration that threatens the future viability of Internet commerce. Although the Anti-Cybersquatting Consumer Protection Act (ACPA) was introduced in 1999, cybersquatting remains an underestimated threat. The number of .com domain names alone has doubled since 2003, and the number of cybersquatting disputes being filed with the World Intellectual Property Organization (WIPO) is on the rise – up 25% in 2006 from 2005. According to a recent independent report, cybersquatting increased by 248% in the past year."
So far, this remains the most creative typosquatting "scam to come" I've seen in a while.
Then, we are taken to a not so sophisticated obfuscation pointing us to the vulnerabilities exploited and the actual binary. Detection rates for the loader so far :
Saturday, July 28, 2007
Papers and Publications :
- Exploiting the iPhone - Paper + Video
"Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device. Within two weeks of part time work, we had successfully discovered a vulnerability, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. We have notified Apple of the vulnerability and proposed a patch. Apple is currently looking into it."
- The Evolution of GPCode/Glamour RansomWare
"This report contains a description of the more obscure, previously undocumented traits belonging to the GPCode/Glamour trojan. The code is a modified version of the Prg/Ntos family which was detailed in depth during our Encrypted Malware Analysis in November 2006. While a majority of the functionality has not changed since then, this recent variant is distinctive enough to warrant additional research. In
particular, the trojan is now equipped with the ability to encrypt a victim’s files on disk. The motive for adding this feature is clearly monetary, as the victim is advised that the files will remain encrypted unless $300 is turned over to the authors, in exchange for a decryption utility."
- A Guide to Security Metrics
"In the face of regular, high-profile news reports of serious security breaches, security managers are more than ever before being held accountable for demonstrating effectiveness of their security programs. What means should managers be using to meet this challenge? Some experts believe that key among these should be security metrics. This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program."
- Secure File Deletion - Fact or Fiction?
"This paper will deal with how and where some of these files are created and how to securely remove them from a system. Microsoft Windows operating systems and associated applications will be the main focus. This paper is divided into two main sections, the first section is designed to be a primer on the types of information that can be found on a hard drive. It is not designed to be a fully detailed data recovery/computer forensics tutorial, but is designed to show security professionals how much information can be found on a hard drive. The second section deals with the concepts behind securely deleting files and associated data from a hard drive."
- Group Policy Extensions in Windows Vista and Windows Server 2008 - Part 1
"Some of the more useful new group policy settings included in Windows Server 2008 and Windows Vista."
- Hooking CPUID - A Virtual Machine Monitor Rootkit Framework
"One of the fascinating debates taking place around the web is whether or not an OS can detect if it is running inside a VM. Surely a VMM will never be able to fool an external clock but discounting that, who knows? In any regard, I have written a small VMM that attempts to place the host OS into a VM and then handles the basic subset of unconditional VM-exits. Great. Now what?"
- BIND 9 DNS Cache Poisoning
"This weakness can be turned into a mass attack in the following way: (1) the attacker lures a single user that uses the target DNS server to click on a link. No further action other than clicking the link is required (2) by clicking the link the user starts a chain reaction that eventually poisons the DNS server?s cache (subject to some standard conditions) and associates fraudulent IP addresses with real website domains. (3) All users that use this DNS server will now reach the fraudulent website each time they try to reach the real website."
- Secure Programming Best Practices for Windows Vista Sidebar Gadgets
- Wardriving Bots
"wardriving-bot's are autonomous systems that are installed in a train, car, bus, taxi or truck and collect wardriving data's, like SSID, GPS-data, MAC address and all other stuff, that kismet can handle. after collecting this data, encrypting, the bot try to send this information back to the Bot-Handler with using a "open" accespoint or a HotSpot."
- KYE: Fast-Flux Service Networks
"This whitepaper details a growing technique within the criminal community called fast-flux networks. This is an architecture that builds more robust networks for malicious activity while making them more difficult to track and shutdown. This is the first KYE paper we are releasing in both .pdf and .html format."
Security Tools :
- Atsiv v1.01 - load, list and unload signed or unsigned drivers on 32 and 64 bit versions of Windows XP, 2K3 and Vista
"Atsiv is a command line tool that allows the user to load and unload signed or unsigned drivers on 32 and 64 bit versions of Windows XP, Windows 2K3 and Windows Vista. Atsiv is designed to provide compatibility for legacy drivers and to allow the hobbyist community to run unsigned drivers without rebooting with special boot options or denial of service under Vista."
- Secunia Personal Software Inspector - Checks Over 4,200 Applications for Latest Patches
"The Secunia PSI detects installed software and categorises your software as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors."
- HIHAT - High Interaction Honeypot Analysis Toolkit
"The High Interaction Honeypot Analysis Toolkit (HIHAT) allows to transform arbitrary PHP applications into web-based high-interaction Honeypots. Furthermore a graphical user interface is provided which supports the process of monitoring the honeypot and analysing the acquired data."
- GPCode Ransom Trojan Decoder
"Recent reports of GPCode, a Ransom Trojan that encrypts files and asks for $300.00 to unlock the victim files have been hitting headlines in the news. Secure Science has offered a freely available decoder for freeing up the files without any problems. This program was written as open source software in the interest of support for other researchers. If you have become a victim of the GPCode Ransom trojan, please download a copy and run it on your systems and it will decrypt the files back to the state they were in before the trojan infected the computer."
- Rootkit Detective v1.0
"McAfee Rootkit Detective is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system."
- CSRF Redirector
"Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated."
- WordPress Security Scanner
"The WordPress version survey was largely successful; it was released on both Slashdot and SecurityFocus which I am quite pleased about, but now onto something even more interesting - that was just the appetizer. I received alot of questions regarding how my survey was conducted. I was going to write an aftermath post (which I still may do), but decided to release my tool, "wp-scanner" instead."
- WAZ v 1.0 - Windows Anti DDoS Tool
"Through my study and research I found lots of networks that are under the hood of Ddos attacks.WAZ is a solution to this. The tool is fully functional and effective in stopping the Ddos agents. You can find lots of Ddos agents like Trinoo, WinTrinoo, Shaft, Mstream, Stacheldhart Ver 1 & 2, Trinity, Entitee etc. They are considered to be the best agents to launch distributed denial of service attacks."
- The Ultimate Distributed Cracker
"The main purpose of UDC is the recovery of the passwords by the given hash-values (NTLM, MD5, SQL, SHA1 and 40+ other). The typical user can recover own forgotten passwords, for example, Windows NT/XP/2003 authorization passwords. Multithreaded and distributed recovery modes are supported. The new method for precalculating Hybrid Attack using Rainbow Tables is introduced. Now there's nothing unbreakable"
- MITRE Honeyclient Project
"Honeyclients can proactively detect exploits against client applications without known signatures. This framework uses a client-server model with SOAP messaging as the primary communication method, and uses the free version of VMware Server as a means of virtualizing the client environment."
- PSA3 - PHP Source Auditor III
"PHP Source Auditor III (or PSA3) was created in order to quickly find vulnerabilities in PHP source code. Written in Perl."
"Any information obtained using the scanner will not be logged in any way. All new router form submissions are anonymous"
Services & Misc :
- 10 Free Services to Send Self-Destructing/Auto-Expiring Emails
"Self Destructing emails delete the original message once it has been read by the recipient. While they are not completely fool proof, for example, someone can take a photo of the message with the camera, the record on the Internet does not remain. Here are a few self destructing email providers that you might find useful for sending emails. Some even provide free plug-ins for sending emails through a desktop based email client such as Outlook or Thunderbird."
- Video - Using Darik's Boot and Nuke (DBAN) to Totally Wipe a Drive
"Another continuation of my file carving video and selective file shredding (DOD 5220.22-M) to thwart forensics tools video, this video shows how to use Darik's Boot and Nuke (DBAN) to totally wipe a drive. DBAN is a great tool to add to your anti-forensics tool box."
- Videos from the ToorCon Information Security Conference
- CISSP Certification Verification Site
"Check (ISC)? credential status for an individual or find credential holders within a company or geographic area."
Thursday, July 26, 2007
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
The Current State of Internet Jihad
Characteristics of Islamist Web Sites
A List of Terrorists' Blogs
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities
Message source spoofed from : corporateclients.refj2225451hh.ib @ rbs.co.uk
Message content : Dear Royal Bank of Scotland customer,
The Royal Bank of Scotland Customer Service requests you to complete Digital Banking Customer Confirmation Form (CCF). This procedure is obligatory for all customers of the Royal Bank of Scotland. Please select the hyperlink and visit the address listed to access Digital Banking Customer Confirmation Form (CCF). Again, thank you for choosing the Royal Bank of Scotland for your business needs. We look forward to working with you. ***** Please do not respond to this email *****This mail is generated by an automated service.
Sender's IP : Listed by only one of the popular anti-spam blacklists
Domain info : buhank.info ; 126.96.36.199 ; Created On: 25-Jul-2007 18:53:03 UTC ; Expiration Date: 25-Jul-2008 18:53:03 UTC.
HTTP/1.1 200 OK
Date: Wed, 25 Jul 2007 22:21:30 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7f PHP/4.4.4
Last-Modified: Tue, 26 Jun 2007 19:05:56 GMT
Main index returns "209 Host Locked" message typical for Rock Phish.
Phishing URL : sessionid-02792683.rbs.co.uk.buhank.info/customerdirectory/direct/ccf.aspx
Original URL : rbs.co.uk/Bank_Online/logon_to_digital_banking/default.asp
It's cost-effective not to register a phishing domain for longer than an year, given its "lifetime", that's for sure. Having your own certificate authority is even better, given they've actually implemented it since there's no httpS option available, thus this phishing campaign is doomed to failure. And while the message and the spoofed site look relatively decent, the people behind this phishing campaign are newbies using the Rock Phish phishing kit. Efficiency of DIY phishing kits VS the quality of the phishing site. More info on this campaign and Rock Phish, as well as SpamHaus.org's recent efforts on limiting the lifetime of Rock Phish domains.
Rock Phish screenshot courtesy of Fortinet.
Related posts :
Phishing Domains Hosting Multiple Phishing Sites
Interesting Anti-phishing Projects
Taking Down Phishing Sites - a Business Model?
Take this Malicious Site Down - Processing Order..
Anti-phishing Toolbars - Can You Trust Them?
Wednesday, July 25, 2007
Malware embedded web sites are steadily gaining a priority in an attacker's arsenal of infection and propagation vectors, and we've been witnessing the trend for over an year and a half now. Malware authors seem to have found an efficient way to hijack, inject and exploit legitimate sites or Web 2.0 services in order to serve the obfuscated payload which is no longer purely relying on social engineering tactics, but is basically exploiting unpatched client side vulnerabilities to infect the visitors. Also, malware authors seem to have started thinking as true marketers, taking into consideration that a visitor will go through a potentially malware embedded site only once and wouldn't visit it given the lack of content -- blackhat SEO garbage -- so that they've stopped relying on having a malicious site exploit a single vulnerability only, and started hosting multi-browser, multi-third-party malware embedded sites, thus achieving malicious economies of scale.Here's a great summary courtesy of Sophos showcasing the increasing number of sites with malware embedded payload :
Thursday, July 19, 2007
Wednesday, July 18, 2007
Moreover, what used to a situation where malware authors were doing over their best to maintain their releases as invisible as possible, nowadays, malware is directly exploiting vulnerabilities within anti virus software to evade detection or get rid of the anti virus software itself. In fact, malware authors became so efficient so that vendors are coming up with very interesting stats based on the greediest, smallest, largest and most malicious malware on a monthly basis.
"When the project was deployed at the ZeroOne Festival is San Jose, California, the system sent attendees messages about where they had been and asked about their intentions for being there. For example, one such message read, “You were in a flower shop and spent 30 minutes in the park; are you in love?” Those contacted were eventually led to the Loca kiosk where they could obtain a log of all their activities, which sometimes reached over 100m long. It should be noted that movement was only tracked on phones with discovery mode turned on."
Marketing research and faciliating purchases aren't the only incentives for marketers and of course malicious attackers looking for innovative ways to socially engineer you to accept a bluetooth connection, even an attachment. Measuring the ROI of advertising and sales practices that used to lack reliable metrics is becoming rather common, like for instance this Big Brother style billboards that measure how many people actually looked at them :
"If you’ve ever seen a poster in the mall that you’ve liked and stared at it for some time, chances are, that poster will be staring right back. This is, however, not so much of a "Big Brother" gimmick as much as it is a marketing tool. From xuuk, a Canadian-based company specializing in cutting-edge technology, comes the eyebox2. This contraption is essentially a tiny video camera surrounded by infrared light-emitting diodes. It can record eye contact with 15-degree accuracy at a distance of up to 33 feet, so even a simple glance from someone in passing will be tallied into the score."
I can certainly speculate that this technology will evolve in a way that it will be able to tell whether it was a male, or a female that looked at it, and if data from local stores gets syndicated to tell the system the prospective customer took notice of the store itself, it would provide the marketers with enough confidence to SMS you a discount offer valid in the next couple of hours only while you're still somewhere around a local store.
The convergence of surveillance technologies is a fact, and what's measuring the ROI of a marketing campaign to some, is an aggressive privacy violations for others. But as we've already seen the pattern of such technologies around the world, first they get legally abused, then customers suddenly turn into vivid privacy activists, to later on have the option to opt-in and opt-out so that everyone's happy.
Tuesday, July 17, 2007
Here's yet another related story this time targeting Linkin Park :
"In a plea agreement, she said she was able to see the family's photographs and travel plans, as well as
information about a home they had purchased. She also read messages sent between Linkin Park's record company and lawyer, including a copy of the band's recording contract."
Meanwhile, more targeted attacks make their invisible rounds across the world :
"On June 26, MessageLabs intercepted more than 500 individual email attacks targeted toward individuals in senior management positions within organizations around the world. The attack was so precisely addressed that the name and job title of the victim was included within the subject line of the email. An analysis of the positions targeted reveals that Chief Investment Officers accounted for 30 percent of the attacks, 11 percent were CEOs, CIOs accounted for almost seven percent and six percent were CFOs."
For quite some time spammers have been segmenting and sort of data mining their harvested emails databases to not only get rid of fake emails and ones on purposely distributed by security companies, but to also start offering lists on a per country, per city, even per company basis. In a Web 2.0 world, top management is actively networking in way never imagined before, and despite that privacy through obscurity may seem a sound approach, someone out there will sooner or later get malware infected and have their HDD harvested for emails, thus exposing the what's thought to be a private email for a top executive. I often come across such segmented propositions for specific emails of specific companies, and even more interesting, people are starting to request emails for certain companies only, so that they can directly target the company in question with a typical zero day malware packed and crypted to the bottom of its binary brain.
Despite all these emerging trends, we should never exclude the possibility for a guerilla marketing campaign based on a celebrity's leak of personal, often nude personal data, a technique in the arsenal of the truly desperate.
Wednesday, July 11, 2007
"Once we receive personally-identifiable information, we take steps to protect its security on our systems. In the event we request or transmit sensitive information, such as credit card information or Social Security Numbers, we use industry standard, secure socket layer ("SSL") encryption. We limit access to personally-identifiable information to those employees who need access in order to carry out their job responsibilities."
Common privacy assurance criteria on major merchant's sites remain :
- TRUSTe certificate
- Hackersafe check
- Compliance with industry standard security best practices
Best practices are a necessary evil, evil because what they're missing is exactly what attackers are exploiting - the pragmatic vulnerabilities to obtain the data in question compared to entering the target through the main door. Back in the times of the dotcom boom when Web 2.0's mature business models were a VC's dream come true, the overall perspective of Internet crime had to do with the concept of directly transferring funds from the a hacked through network vulnerabilities bank, while in reality, from an attacker's point of view it's far more effective to target its customers directly. Which is exactly the same case with E-commerce and privacy, either the merchant will store your business relationship with them and expose it, or you will somehow leak it out.
Afterlife Data Privacy
The Future of Privacy = Don't Over-empower the Watchers
Anonymity or Privacy on the Internet?
U.K's Telecoms Lack of Web Site Privacy
Big Brother Awards 2007
A Comparison of U.S and European Privacy Practices
Monday, July 09, 2007
Friday, July 06, 2007
Back in December, 2005, the infamous WMF vulnerability got sold for $4000 to be later on injected into popular sites, and embedded whereaver possible. The idea behind this attack? Take advantage of the window of opportunity by the time a patch by Microsoft is released, but instead of enjoying the typical advantage coming from full disclosure exploit and vulnerabilities sites, the attackers went a little further, they also wanted to make sure that the vulnerability wouldn't even appear there at the first place. And while it later became a commodity, WMF DIY generators got released for the script kiddies to generate more noise and the puppet masters to remain safe behind a curtain of the click'n'infect kiddie crowd.
Several months later, hinted by a person whose the perfect representation of the phrase "Those who talk know nothing, those who don't talk they know" tipped me on a zero day shop site -- The International Exploits Shop -- that was using a push-model that is a basic listing of the vulnerabilities offered and the associated prices, even taking advantage of marketing surveys to figure out the median price customers would be willing to pay for a zero day vulnerability.
Commercializing vulnerability research the way the company is doing it, will inevitably demonstrate the lack of communication and incentives model between all the parties in question. Moreover, if you think that a push-model from the researcher compared to a pull one, even on demand is better think twice - it isn't. If I'm a vendor, I'd request a high profile vulnerability to be found in my Internet browser in the next two months and offer a certain financial incentive for doing so, compared to browsing through listings of vulnerabilities in products whose market share is near the 1%. For the computer underground, or an information broker, there's no such thing as a zero day vulnerability because they understand the idea that in times when everyone's fuzzing more effectively than the vendors themselves, or transparency and social networking has never been better, a zero day to some is the last month's zero day to others.
Questions remain :
- how do you verify a vulnerability is really a zero day, when infomediaries such as iDefense, Zero Day Initiative or Digital Armaments delay "yesterday's" security vulnerability or keep you in a "stay tuned" mode? How can you be sure you as an infomediary are not part of a scheme that's supplying zero days to both the underground and you?
- why put an emphasis on something's that's a commodity, but forgetting that closing a temporarily opened up window of opportunity posed by today's zero day will lose its value in less than a minute by the time an IDS signature takes care of it while a patch is released? In exactly the very same fashion of malicious economies of scale, a stolen personal and financial information is lossing value so that the attackers are trying to get rid of it as soon as possible, by the time it value doesn't decrease to practically zero. Stay tuned for a zero day vulnerabilities cash bubble.
- how do you put a value on a vulnerability and what is your criteria? Of course, monocultural OSs get a higher priority, but does this mean that a zero day in MAC would get more bids because of the overall perception that it's invincible and the verification of such vulnerability would generate endless media echo effect, while someone's checking your current zero day propositions to see if the one he came across is still not listed there? For instance, Wabisabilabi have posted a Call for iPhone vulnerabilities in the first days of their launch.
Theoretically, if everyone starts selling zero day vulnerabilities they find, there will be people who will superficially increase a zero day's value by holding it back and keeping quiet for as long as someone doesn't find it as well. Here's an interview I took from David Endler at the Zero Day Initiative you may find informative, and more opinions on the topic - Computerworld; Dark Reading; Slashdot; The Register; TechTarget; Heise Security; Techcrunch, and an interesting quote from a BBC article that the initiative is aiming to limit the flow of vulnerabilities to the underground :
"By rewarding researchers, the auction house aims to prevent flaws getting in to the hands of hi-tech criminals."
It would have absolutely zero effect on the flow of vulnerabilities in computer underground circles, mostly because if someone likes the idea of getting a one time payment for its discovery, others would get a revenue stream for months to come by integrating it into the underground ecosystem. Even the average MPack attack kit, compared to others I've seen showcases the reality - a huge number of people are infected and no zero day vulnerabilities are used but ones for which patches are available for months. Moreover, they don't just buy stockpiles of zero day vulnerabilities, but are actively discovering new ones as well and holding them back for as long as possible as I've already mentioned.
And another one from CNET :
"WSLabi is backed by about 5 million euros ($6.8 million) from individual investors, and hopes to float on a stock exchange (probably London's AIM or a similar exchange in Oslo) in around 18 months."
Is this for real, and if so, it makes it yet another investment in the information security market to keep an eye on in the very same fashion I've been following and speculating on SiteAdvisor's eventual, now real acquisition. But WSLabi's road to an IPO would be a very, very bumpy one. Everyone's excluding the obvious, namely that the biggest and most targeted vendors could ruin WSLabi's entire business model by starting to offer financial incentives let's call them for zero day vulnerabilities, or perhaps keep it pragmatic, namely ignore the fact that someone's trading with zero days regarding their products mainly because the vendors cannot be held liable for not providing patches in a timely manner or not reacting to the threat.
Two projects worth considering are the ElseNot one, listing exploits for every Microsoft vulnerability ever, and eEye's Zero Day Tracker, keeping track of unpatched vulnerabilities. Make sure what you wish for, so it doesn't actually happen.